Transmission system, a method and an apparatus providing access for IP data packets to a firewall protected network

ABSTRACT

The invention provides a transmission system, for example, an ATM transmission system, which is adapted for the transmission of IP data packets, and which includes an IP-network, a network protected by a firewall, and means for temporarily opening the firewall to enable IP data packets to be transmitted through the firewall to the protected network. The firewall operates in a manner whereby a particular type of IP-packet, i.e. a Ping (ICMP)-packet, is allowed to pass through the firewall, IP-traffic can pass through the firewall from the inside thereof to the outside thereof, and IP-traffic, similar to that which is sent from the inside of the firewall to the outside of the firewall, can be transmitted through the firewall to the protected network for a limited period of time. In particular, the firewall opening means include two IC-breakers, which are located on opposite sides of said firewall, and which have a structure and functionality dictated by the manner in which the firewall operates. In other words, when an IP data packet, destined for the protected networks, is received by the IC-breaker located on the outside of the firewall, the IC-breakers are adapted to communicate with each other to create the temporary opening in the firewall via which the IP data packet is sent to the protected network.

The invention relates to transmission systems which are adapted for the transmission of IP (Internet Protocol) data packets through a firewall, the system including means adapted to temporarily open the firewall to enable IP data packets to be transmitted therethrough, a method for the transmission of IP data packets to a system inside a firewall, apparatus for providing access to a firewall protected network, and a communications system including the transmission system of the present invention, or operating in accordance with the method of the present invention.

It is known to use a firewall and other equipment to block incoming traffic, such as, IP (Internet Protocol) data packets, but the problem with a firewall and other equipment designed to block incoming data packets, is that it can be very difficult to remotely control systems which are inside the firewall.

When an attempt is made by a computer to contact another computer, difficulties are sometimes experienced in obtaining a reply from the computer. In these circumstances, it is possible to use a Ping service to determine whether, or not, the computer is connected to the network. In operation, the Ping service sends a message, in the form of a data packet, to the computer, with which contact is required, and when the computer receives the data packet it sends it back to the sender. If the data packet is not returned, then the sender will be aware that the computer is not connected to the network. In Windows, the Ping service can be run from DOS.

It is an object of the present invention to provide a transmission system, adapted for the transmission of IP (Internet Protocol) data packets through a firewall, the system including means adapted to temporarily open the firewall to enable IP data packets to be transmitted therethrough. The firewall opening means are provided by two IC-breakers, one of which is located on one side of the firewall and the other one of which is located on the other side of the firewall. An IC-breaker is a function that can be either included in an application, or be a separate entity.

It is another object of the present invention to provide a method for the transmission of IP data packets to a system inside a firewall.

It is another object of the present invention to provide apparatus for providing access to a firewall protected network and a transmission system including such an apparatus.

It is another object of the present invention to provide IC-breakers adapted for use with apparatus of the present invention.

It is another object of the present invention to provide a communications system including the transmission system of the present invention, or operating in accordance with the method of the present invention.

According to a first aspect of the present invention, there is provided, a transmission system, adapted for the transmission of IP data packets, said system including an IP-network and a network protected by a firewall, said firewall being adapted to block incoming traffic to the protected network, characterised in that said system further includes means for temporarily opening the firewall to enable IP data packets to be transmitted through the firewall to the protected network.

The firewall may be adapted to be transparent to Ping (Internet control message protocol ICMP)-packets; IP-traffic passing through the firewall from the inside thereof to the outside thereof; and, for a limited period of time, IP-traffic, similar to that which is sent from the inside of the firewall to the outside of the firewall, passing through the firewall from the outside thereof to the inside thereof.

The means for temporarily opening the firewall may include first and second IC-breakers, located on opposite sides of said firewall, and said IC-breakers may have a structure and functionality dictated by the manner in which said firewall is adapted to operate.

The first IC-breaker may be adapted, on receipt of an IP data packet, to store said IP data packet; send a Ping IP-packet to the second IC-breaker through the firewall; await receipt of a returned Ping IP-packet from the second IC-breaker, said IP-packet opening the firewall for a short period of time; and send said stored IP data packet through the open firewall to the second IC-breaker.

The second IC-breaker may be adapted to identify the size of a Ping IP-packet received from a sender located outside of the firewall, said size being indicative of the type of packet which has been received and the port via which it was received; return the Ping IP-packet to the sender, which opens the firewall for a limited period of time; await receipt, from the sender, of an IP data packet for the protected network, during said limited period of time said firewall is open; and send the received IP data packet to the protected network.

The first IC-breaker may be located on the IP-network side of the firewall, in which case, said second IC-breaker is located on the protected network side of the firewall. The first IC-breaker may be adapted to receive IP data packets from IP-network equipments that are destined for the protected network. The IC-breakers may be adapted, on receipt, by said first IC-breaker, of an IP data packet for the protected network, to communicate with each other, through the firewall, using Ping (ICMP)-packets, a Ping-packet returned by said second IC-breaker to said first IC-breaker temporarily opening the firewall for this type of traffic, and said first IC-breaker may be adapted, on receipt of the returned Ping-packet, to send the IP data packet through the opened firewall to the second IC-breaker. The second IC-breaker may be adapted, on receipt of said IP data packet, to send the received packet to the protected network.

According to a second aspect of the present invention, there is provided, a transmission system, adapted for the transmission of IP data packets, said system including an IP-network and a network protected by a firewall, characterised in that said firewall is adapted to allow a particular type IP-packet to pass through the firewall to the protected network; IP-traffic to pass through the firewall from the inside thereof to the outside thereof, said IP-traffic opening the firewall for IP-traffic for a limited period of time; and IP-traffic, similar to that which is sent from the inside of the firewall to the outside of the firewall, to be transmitted through the firewall to the protected network during said limited period of time. The particular type of IP-packet may be a Ping (ICMP)-packet.

The protected network may be a Local Area Network (LAN) and the transmission system may be an Asynchronous Transfer Mode (ATM) transmission system, adapted for the transmission of IP data packets, using ATM as a carrier network.

According to a third aspect of the present invention, there is provided, in a transmission system, adapted for the transmission of IP data packets, said system including an IP-Network and a network protected by a firewall, a method for the transmission of IP data packets to the protected network, characterised by opening said firewall for a limited period of time and by transmitting an IP data packet, through the opened firewall, to the protected network.

The method may be characterised by said firewall allowing a particular type of IP-packet to pass through; and IP-traffic to pass through, from the inside thereof to the outside thereof, said IP-traffic opening the firewall for said limited period of time; and by transmitting said IP data packet to said protected network during said limited period of time, said IP data packet being similar to the IP-traffic which opens the firewall for said limited period of time. The method may be further characterised by said particular type of IP-packet being a Ping (ICMP)-packet.

The method may be characterised by said system including first and second IC-breakers, located on opposite sides of said firewall, and by said IC-breakers having a structure and functionality dictated by the manner in which said firewall operates. The method may be further characterised by said first IC-breaker being located on the outside of the firewall and said second IC-breaker being located on the inside of the firewall, and by said first IC-breaker receiving and storing IP data packets for the protected network; on receipt of said IP data packet, sending Ping IP-packets to the second IC-breaker through the firewall; awaiting receipt of a return Ping IP-packet from the second IC-breaker, said IP-packet opening the firewall for a short period of time; and sending said stored IP data packet through the open firewall to the second IC-breaker. The method may be further characterised by said second IC-breaker identifying the size of a Ping IP-packet received from said first IC-breaker, said size being indicative of the type of packet which has been received and the port via which it was received; returning the Ping IP-packet to said first IC-breaker, thereby opening the firewall for a limited period of time; awaiting receipt, from said first IC-breaker, of said IP data packet for the protected network, during said limited period of time said firewall is open; and sending the received IP data packet to the protected network.

The method may be characterised by said first IC-breaker being located on the IP-network side of the firewall and said second IC-breaker being located on the protected network side of the firewall; said first IC-breaker receiving and storing IP data packets from IP-network equipments that are destined for the protected network; said IC-breakers on receipt, by said first IC-breaker, of an IP data packet for a protected network, communicating with each other, through the firewall, using Ping (ICMP)-packets, a Ping-packet returned by said second IC-breaker to said first IC-breaker temporarily opening the firewall for this type of traffic; said first IC-breaker, on receipt of the returned Ping-packet, sending the IP data packet through the opened firewall to the second IC-breaker; and said second IC-breaker, on receipt of said IP data packet, sending the received packet to the protected network.

The method may be characterised in that said protected network is a Local Area Network (LAN).

The method may be characterised in that said system is an Asynchronous Transfer Mode (ATM) transmission system, adapted for the transmission of IP data packets, using ATM as a carrier network.

According to a fourth aspect of the present invention, there is provided, apparatus for providing access to a firewall protected network, characterised in that said arrangement includes means for temporarily opening the firewall to enable IP data packets to be transmitted through the firewall to said protected network. The means for temporarily opening the firewall may include two IC-breakers, located on opposite sides of said firewall, and said firewall may be adapted to allow IP-traffic to be transmitted from the inside thereof to the outside thereof, and communication between said IC-breakers using a Ping service, a response to said Ping service temporarily opening the firewall for the transmission of IP data packets to said protected network.

The IC-breaker, located on the outside of said firewall, may be adapted to store IP data packets destined for the protected network; send Ping IP-packets to the other IC-breaker through the firewall; await receipt of a returned Ping IP-packet from said other IC-breaker, said IP-packet opening the firewall for a limited period of time; and send said stored IP data packet through the open firewall to said other IC-breaker.

The IC-breaker, located on the protected network side of the firewall may be adapted to identify the size of a Ping IP-packet received from a sender located outside the firewall, said size being indicative of the type of packet which has been received and the port via which it was received; return the Ping IP-packet to the sender, which opens the firewall for a limited period of time; await receipt, from the sender, of an IP data packet for the protected network, during said limited period of time said firewall is open; and send the received IP data packet to the protected network.

A first one of said IC-breakers may be located on the outside of the firewall and a second one of said IC-breakers is located on the protected network side of the firewall, said first IC-breaker may be adapted to receive and store IP data packets destined for the protected network, said IC-breakers may be adapted, on receipt, by said first IC-breaker, of an IP data packet for the protected network, to communicate with each other, through the firewall, using Ping (ICMP)-packets, a Ping-packet returned by said second IC-breaker to said first IC-breaker temporarily opening the firewall for this type of traffic, said first IC-breaker may be adapted, on receipt of the returned Ping-packet, to send the IP data packet through the opened firewall to the second IC-breaker, and said second IC-breaker may be adapted, on receipt of said IP data packet, to send the received packet to the protected network.

According to a fifth aspect of the present invention, there is provided, an IC-breaker adapted for use with apparatus as outlined in preceding paragraphs, characterised in that said IC breaker includes means for transmitting PING packets to an IC breaker located behind a firewall, means for storing a received IP packet, means for detecting receipt of an IP packet from within said firewall, and means, operative in response to receipt of an IP packet from within said firewall, to transmit IP stored packets.

According to a sixth aspect of the present invention, there is provided, an IC-breaker adapted for use with apparatus as outlined in preceding paragraphs, characterised in that said IC-breaker includes means for identifying a received PING packet and determining an associated IP packet type therefrom, means for transmitting an IP packet of the type associated with the received IP packet through the firewall, means for receiving an IP packet transmitted through said firewall, and means for distributing said IP packet to a predetermined address.

According to a seventh aspect of the present invention, there is provided, a transmission system, adapted for the transmission of IP data packets, said system including an IP-network and a network protected by a firewall, characterised in that said system includes an apparatus as outlined in preceding paragraphs.

According to an eighth aspect of the present invention, there is provided, a communications system including a transmission system, as outlined in preceding paragraphs, or operating in accordance with a method, as outlined in preceding paragraphs.

The foregoing and other features of the present invention will be better understood from the following description with reference to the single FIGURE of the accompanying drawings which diagrammatically illustrates a transmission system according to the present invention.

The single FIGURE of the accompanying drawings diagrammatically illustrates an example of how a SNMP (Switching Network Management Protocol)-TRAP can be distributed to a remote system which is inside a firewall. TRAP is an SNMP operation. In practice, the IP-plane control entity, on recognizing an IP data flow, may be adapted to generate a SNMP-TRAP with information about the recognized IP data flow and its attributes. An SNMP-TRAP may be used to issue an unconfirmed notification to downstream/upstream nodes of an ATM carrier network and SNMP SET/RESPONSE may be used when confirmation is sought by the transmission system.

As is diagrammatically illustrated in the single FIGURE of the accompanying drawings, a firewall, which is interposed between an IP-Network and a firewall protected network, for example, a Local Area Network (LAN), is adapted to normally block incoming traffic, from an Equipment connected to the IP-Network, to a Remote System connected to a firewall protected network. The IP-Network includes an IC-breaker 1, which is adapted to receive and store an IP data packet from the IP-Network Equipment and to communicate, in a manner to be subsequently outlined, with an IC-breaker 2. The IC-breaker 2 is adapted to send IP data packets, received from IC-breaker 1, to the Remote System connected to the LAN.

The problem with a firewall and other equipment is that it can be very difficult to remotely control systems which are inside the firewall, i.e. the Remote System. An IC-breaker which is adapted to temporarily open the firewall for a special type of traffic, is a functionality that can be either included in an application, or in a separate entity. The transmission system of the present invention includes two IC-breakers, one of which is inside the firewall and the other one of which is outside the firewall.

As is diagrammatically illustrated in the single FIGURE of the accompanying drawings, the distribution of traffic from an equipment outside the firewall to a network user inside the firewall is effected through use of IC-breaker 1 in association with IC-breaker 2. In particular, an IP data packet required to be transmitted from the IP-Network Equipment to the Remote System, is sent by the IP-Network Equipment to the IC-breaker 1. The received IP data packet is stored in the IC-breaker 1. The stored IP data packet is then sent by IC-breaker 1 to IC-breaker 2, which is situated inside the firewall, in a manner according to the present invention. On receipt of the IP data packet, IC-breaker 2 sends it to the Remote System.

The IC-breakers have a structure and functionality based on the following properties of the firewall:

-   ‘PING’ (Internet Control Message Protocol (ICMP)) packets can always be sent through a firewall;
-   IP-traffic can always be transmitted from the inside of a firewall to the outside of the firewall; and
-   if IP-traffic is sent from the inside of a firewall to the outside of the firewall, similar IP-traffic can be transmitted to the network protected by the firewall during a limited period of time.

As stated above, the Ping service which, in Windows, can be run on DOS, enables a network equipment to send messages, in the form of data packets, to a computer with which contact is required. If the computer is connected to the network, the computer, on receipt of a Ping packet, sends it back to the network equipment. If the data packet is not returned, the network equipment will know that the computer is not connected to the network.

A method, according to the present invention, for the distribution of a SNMP-TRAP to a network inside a firewall, i.e. the Remote System of the LAN, will now be described with reference to the single FIGURE of the accompanying drawings. The steps of this method, which are illustrated in the single FIGURE of the drawings by the lines numbered 1 to 5, are as follows:

-   the IP-Network Equipment sends an IP data packet to IC-breaker 1, as shown by line 1, the data packet being stored in IC-breaker 1;
-   on receipt and storage of the IP data packet, IC-breaker 1 sends a series of Ping (ICMP) packets (messages) to IC-breaker 2 (see line 2)—Ping (ICMP) packets can always be sent through a firewall;
-   on receipt of the Ping (ICMP) packets, IC-breaker 2 sends an IP data packet back to IC-breaker 2 (see line 3), which opens the firewall temporarily for this kind of traffic—IP-traffic can always be transmitted from the inside of a firewall to the outside of the firewall;
-   IC-breaker 1 sends the IP data packet, for the Remote System of the LAN, through the opened firewall to IC-breaker 2 (see line 4); and
-   on receipt of the IP data packet, IC-breaker 2 sends the IP data packets to the Remote System of the LAN, as shown by line 5.
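The five steps and the three firewall properties can be traced in a small in-memory model; this is an added example, not code from the patent, and it opens no sockets. The 5-second window, the addresses and the mapping of ping size 72 to UDP port 162 are assumptions, since the text specifies neither a duration nor a size table.

```python
from dataclasses import dataclass, field

OPEN_WINDOW = 5.0  # assumed; the text says only "a limited period of time"
# Assumed size code: ping payload length -> (protocol, port). The text says the
# size identifies packet type and port but does not give the mapping.
SIZE_CODE = {72: ("udp", 162)}  # 162/udp is the SNMP trap port


@dataclass
class Firewall:
    window: float = OPEN_WINDOW
    state: dict = field(default_factory=dict)  # flow key -> expiry time

    def outbound(self, now, inside, outside, proto, port):
        # Property 2: inside-to-outside traffic always passes. Property 3: it
        # also creates state that admits similar return traffic for a while.
        self.state[(inside, outside, proto, port)] = now + self.window
        return True

    def inbound(self, now, outside, inside, proto, port=None):
        # Property 1: ping (ICMP) packets always pass.
        if proto == "icmp":
            return True
        # Property 3: anything else needs live state created from the inside.
        return now < self.state.get((inside, outside, proto, port), 0.0)


@dataclass
class InnerBreaker:  # IC-breaker 2, on the protected side
    addr: str
    remote_system: list = field(default_factory=list)  # stands in for the Remote System

    def on_ping(self, fw, now, sender, size):
        service = SIZE_CODE.get(size)
        if service is None:
            return None  # unknown size: no reply is sent, firewall stays shut
        fw.outbound(now, self.addr, sender, *service)  # line 3 of the figure
        return service

    def on_data(self, payload):
        self.remote_system.append(payload)  # line 5 of the figure


@dataclass
class OuterBreaker:  # IC-breaker 1, on the IP-network side
    addr: str
    stored: list = field(default_factory=list)

    def receive(self, payload):  # line 1: store the packet
        self.stored.append(payload)

    def forward(self, fw, inner, now, ping_size, send_delay=0.1):
        # line 2: ping through the firewall
        if not fw.inbound(now, self.addr, inner.addr, "icmp"):
            return False
        service = inner.on_ping(fw, now, self.addr, ping_size)
        if service is None:
            return False
        # line 4: send the stored packet while the window is still open
        if not fw.inbound(now + send_delay, self.addr, inner.addr, *service):
            return False
        while self.stored:
            inner.on_data(self.stored.pop(0))
        return True


if __name__ == "__main__":
    fw = Firewall()
    outer, inner = OuterBreaker("198.51.100.10"), InnerBreaker("10.0.0.5")
    print("direct inbound allowed:", fw.inbound(0.0, outer.addr, inner.addr, "udp", 162))
    outer.receive(b"snmp-trap")
    print("after exchange:", outer.forward(fw, inner, 0.0, 72), inner.remote_system)
```

The model makes the dependency explicit: the exchange works only while the firewall both passes inbound echo requests unconditionally and keeps return state for outbound flows, so removing either property closes the path.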

It will be seen from the foregoing description that, in accordance with the present invention an arrangement and method is provided for gaining access to a firewall protected network, i.e. the Remote System of the LAN, and that means are provided for temporarily opening the firewall to enable IP data packets to be transmitted therethrough to the protected network.

In particular, the means for temporarily opening the firewall include two IC-breakers, IC-breaker 1 and IC-breaker 2, located on opposite sides of said firewall, that the functional arrangements for the firewall is such that it allows IP-traffic to be transmitted from the inside thereof to the outside thereof, and communication to be effected between the two IC-breakers using a Ping service, and that a response to the Ping service temporarily opens the firewall for the transmission of IP data packets to the protected network. The IC-breaker functions are shown in the following table:

| Arriving IP data packet | Arriving Ping-packets |
| --- | --- |
| Send a number of Ping-packets to an IC-breaker inside the firewall; the packet size being indicative of the type of packet which has been received and the port via which it was received. | Identify the packet size of the Ping-packets which indicates the type of IP-packets, associated with the Ping-packets, and a particular port via which it was received. |
| Await receipt of an IP-packet from an IC-breaker which pings, i.e. responds to the Ping-packets. The received IP-packet causes the firewall to open for a short period of time and thereby allows an IP data packet to pass through the firewall, from the outside to the inside. | Send to the IC-breaker, outside the firewall, a packet of the type which has been identified. This will cause the firewall to open for a short period of time. |
| Send the original IP data packet through the opened firewall to the IC-breaker inside the firewall for onward transmission to the intended recipient at a predetermined address. | Await receipt of an IP data packet from the IC-breaker outside the firewall and, on receipt, send the IP data packet to a predetermined address, for example, a remote computer system. |

It will also be seen from the foregoing description that the present invention provides a transmission system, for example, an ATM transmission system, which is adapted for the transmission of IP data packets, and which includes an IP-network, a network protected by a firewall, and means for gaining access to a firewall protected network.

1. A transmission system configured to transmit IP data packets, comprising: an IP network; a protected network protected by a firewall configured to block incoming traffic to the protected network; a first IC-breaker; and a second IC-breaker; wherein said first and second IC breakers are configured to open the firewall to allow the IP data packets to be transferred through the firewall to the protected network; said first IC-breaker is located on a IP network side of the firewall and the second IC-breaker is located on a protected network side of the firewall, and said firewall is transparent to a particular type IP data packet, configured to communicate between said first and second IC-breakers through the firewall by using said particular type IP data packet; said first IC-breaker is configured to receive the IP data packets from the IP network, the IP data packets intended for the protected network, and said first IC-breaker is configured to send the particular type IP data packet to said second IC-breaker after reception of the particular type IP data packet; and said first IC-breaker is further configured to open the firewall for a time period at reception of a returned particular IP data packet from the second IC-breaker, and said returned particular IP data packet is sent before the firewall opens through the firewall to the second IC-breaker, and the second IC-breaker is configured to send the particular type IP data packet to the protected network after receiving the particular type IP data packet; and said particular IP data packet is a ping-packet, wherein said second IC-breaker is configured to identify a size of the ping-packet received from a sender in a form of an IC-breaker, said size being indicative of a type of packet which has been received and a port via which it was received.
2. The transmission system according to claim 1, wherein said firewall is configured to be transparent to IP-communication through the firewall from a protected network side to an IP network side thereof, and, during the time period, open to IP-communication through the firewall from the IP network side to the protected network side thereof.
3. The transmission system according to claim 1, wherein said first IC-breaker is configured, on receipt of an IP data packet, to store said particular type IP data packet and to send said stored IP data packet through the firewall to the second IC-breaker, when the firewall has been opened.
4. The transmission system according to claim 1, wherein said protected network is a Local Area Network.
5. A transmission system, as claimed in claim 1, wherein said system is an Asynchronous Transfer Mode ATM transmission system, configured to transmit IP data packets, using ATM as a carrier network.
6. A method for using a transmission system transmitting IP data packets from an IP-network to a protected network protected by firewall, said method comprising: receiving and storing an IP data packet by a first IC-breaker located on an IP-network side of the firewall; transmitting the IP data packet by said first IC-breaker to a second IC-breaker located on a protected network side of the firewall through the firewall, on receipt of a particular type IP data packet; opening the firewall by said particular type IP data packet for a period of time while awaiting receipt of said particular type IP data packet from said second IC-breaker; sending said stored IP data packet through the open firewall to said second IC-breaker; and identifying by said second IC-breaker a size of the particular type IP data packet received from said first IC-breaker, said size being indicative of a type of IP data packets which have been received and a port via which the data packet was received; wherein said particular type IP data packet is a ping-packet.
7. The method according to claim 6, further comprising: returning the particular type IP data packet from said second IC-breaker to said first IC-breaker, thereby opening the firewall for the period of time; awaiting reception, by said second IC-breaker, of said IP data packet for the protected network sent from said first IC-breaker, during said period of time the firewall is open; and sending the received IP data packet to the protected network by said second IC-breaker.
8. The method according to claim 6, wherein said protected network is a Local Area Network.
9. The method according to claim 6, wherein said transmission system is an Asynchronous Transfer Mode ATM transmission system, configured to transmit IP data packets, using ATM as a carrier network.
10. An apparatus configured to provide access to a firewall protected network, comprising: means for opening the firewall to enable IP data packets to be transmitted through the firewall to said protected network, wherein said means for opening the firewall includes a first and second IC-breaker located on opposite sides of said firewall, and wherein said firewall is configured to allow IP-traffic from a protected side thereof to another side, and communication between said first and second IC-breakers using a Ping service, a response to said Ping service opening the firewall for transmission of IP data packets to said protected network; wherein said second IC-breaker is configured to identify a size of a ping-packet used by the Ping service received from a sender in a form of an IC-breaker, said size being indicative of a type of packet which has been received and a port via which it was received.
11. The apparatus according to claim 10, wherein the first IC-breaker, located on an IP-network side of said firewall, is configured to: store IP data packets destined for the protected network; send ping-packets to the second IC-breaker through the firewall; await receipt of a returned ping-packet from the second IC-breaker, said returned ping-packet opening the firewall for a period of time; and send said stored IP data packets through the open firewall to said second IC-breaker.
12. The apparatus according to claim 10, wherein the first IC breaker is located on an IP-network side of the firewall and that the second IC-breaker is located on the protected network side of the firewall, wherein said first IC-breaker is configured to receive and store IP data packets destined for the protected network, wherein said first and second IC breakers are configured, on receipt, by said first IC-breaker, of a IP data packet for the protected network, to communicate with each other, through the firewall, using ping-packets, one of said ping-packets returned by said second IC-breaker to said first IC-breaker opening the firewall for this type of traffic, and wherein said first IC-breaker is configured, on receipt of the returned ping-packet, to send IP data packets through the opened firewall to the second IC-breaker, and wherein said second IC-breaker is adapted, on receipt of said IP data packet, to send the received packets to the protected network.
 13. The apparatus as claimed in claim 10, whereinsaid IC-breaker includes: means for transmitting ping-packets to atleast one of the first or second IC-breaker, located behind a firewall;means for storing received IP data packets; means for detecting receiptof said IP data packets from within said firewall; and means, operativein response to receipt of IP data packets, to transmit stored IP datapackets.
 14. The apparatus as claimed in claim 10, wherein saidIC-breaker includes: means for identifying a received ping-packet anddetermining an associated IP data packet type thereto; means fortransmitting IP data packets of said associated IP data packet typethrough the firewall; means for receiving the IP data packetstransmitted through said firewall; and means for distributing at leastone of said IP data packets to a predetermined address.
 15. Atransmission system configured to transmit IP data packets, said systemincluding: an IP-network protected by a firewall; means for opening thefirewall to enable IP data packets to be transmitted through thefirewall to said protected network, wherein said means for opening thefirewall includes a first and second IC-breaker located on oppositesides of said firewall, and wherein said firewall is configured to allowIP-traffic from a protected side thereof to another side, andcommunication between said first and second IC-breakers using a Pingservice, a response to said Ping service opening the firewall fortransmission of IP data packets to said protected network; wherein saidsecond IC-breaker is configured to identify a size of a ping-packet usedby the Ping service received from a sender in a form of an IC-breaker,said size being indicative of a type of packet which has been receivedand a port via which it was received.
 16. A transmission system configured to transmit IP data packets, said system comprising: an IP network; a protected network protected by a firewall configured to block incoming traffic to the protected network; a first IC-breaker; and a second IC-breaker; wherein said first and second IC breakers are configured to open the firewall to allow the IP data packets to be transferred through the firewall to the protected network; wherein said first IC-breaker is located on a IP network side of the firewall and the second IC-breaker is located on a protected network side of the firewall, and said firewall is transparent to a particular type IP data packet, configured to communicate between said first and second IC-breakers through the firewall by using said particular type IP data packet; said first IC-breaker is configured to receive the IP data packets from the IP network, the IP data packets are intended for the protected network, and said first IC-breaker is configured to send the particular type IP data packet to said second IC-breaker after reception of the particular type IP data packet; said first IC-breaker is further configured to open the firewall for a time period at reception of a returned particular IP data packet from the second IC-breaker, and said returned particular IP data packet sent before the firewall opens through the firewall to the second IC-breaker, and the second IC-breaker is configured to send the particular type IP data packet to the protected network after receiving the particular type IP data packet; and said second IC-breaker is configured to identify a size of the particular type IP data packet received from a sender in a form of an IC-breaker, said size is indicative of a type of packet which has been received and a port via which the particular type IP data packet was received.
 17. A method for using a transmission system transmitting IP data packets from an IP-network to a protected network protected by firewall, said method comprising: receiving and storing an IP data packet by a first IC-breaker located on an IP-network side of the firewall; transmitting the IP data packet by said first IC-breaker to a second IC-breaker located on a protected network side of the firewall through the firewall, on receipt of a particular type IP data packet; opening the firewall by said particular type IP data packet for a period of time while awaiting receipt of said particular type IP data packet from said second IC-breaker; sending said stored IP data packet through the open firewall to said second IC-breaker; identifying by said second IC-breaker a size of the particular type IP data packet received from said first IC-breaker, said size being indicative of a type of IP data packets which have been received and a port via which the data packet was received; returning the particular type IP data packet from said second IC-breaker to said first IC-breaker, thereby opening the firewall for the period of time; awaiting reception, by said second IC-breaker, of said IP data packet for the protected network sent from said first IC-breaker, during said period of time the firewall is open; and sending the received IP data packet to the protected network by said second IC-breaker.
 18. Apparatus for providing access to a firewall protected network, comprising: means for opening a firewall to enable IP data packets to be transmitted through the firewall to said protected network, wherein said means for opening the firewall includes a first and second IC-breaker located on opposite sides of said firewall; wherein said firewall is configured to allow IP-traffic from a protected side thereof to another side, and communication between said first and second IC-breakers use a ping service, a response to said ping service opening the firewall for transmission of IP data packets to said protected network; wherein the second IC-breaker, located on the protected network side of the firewall is configured to: identify a size of a ping-packet received from the first IC-breaker, said size being indicative of the type of packet which has been received and a port via which the ping-packet was received; return the ping-packet to the first IC-breaker, which opens the firewall for a period of time; await receipt, from the first IC-breaker, of said IP data packet for the protected network during said period of time said firewall is open; and send the received IP data packets to the protected network.
 19. A transmission system according to claim 1, wherein said period of time is at least a duration of a transmission of the IP data packets through the firewall by said first or second IC breaker.
 20. A transmission system according to claim 6, wherein said period of time is at least a duration of a transmission of the IP data packets through the firewall by said first or second IC breaker.
 21. An apparatus for providing access to a firewall protected network according to claim 11, wherein said period of time is at least a duration of a transmission of the IP data packets through the firewall by said first or second IC breaker.
 22. A transmission system according to claim 1, wherein said ping-packet is an internet control message protocol packet ICMP.
 23. A transmission system according to claim 6, wherein said ping-packet is an internet control message protocol packet ICMP.